HIPAA Consult

March 4, 2005

Answers to your questions about...paper record disposal; deceased patients and privacy; rights of a surviving spouse; faxes and the security rule

A Although HIPAA doesn't dictate precisely how you should discard old records, it does say that the method you use should effectively protect patient privacy. So, for example, some practices use locked trash bins for paper containing protected medical information, and then contract with a vendor to shred or incinerate this material after removal.

Deceased patients and privacy Q I've been told that the HIPAA privacy rule no longer applies after a patient dies. Is this correct?

Although broad, these rights are not unlimited. For example, access to psychotherapy notes (notes maintained by a mental health professional separate from the medical record) may be denied. Doctors may also deny access to the patient's medical record if they or another licensed healthcare professional believe it's reasonably likely that granting such access will endanger someone's life or physical safety. If you do deny access, the patient's personal representative retains the right to appeal the denial to a neutral third party.

Rights of a surviving spouseQ Does a spouse have unlimited access to a deceased patient's medical record?

A No. A spouse is entitled to access a deceased patient's records only if he or she is the executor or administrator of the estate, or is otherwise authorized to act on its behalf. In such cases, the spouse must be treated as a personal representative with the same rights as the patient.

Faxes and the security rule Q Are faxes containing protected health information regulated by the HIPAA security rule?

A No. Regular paper faxes aren't considered protected health information under the rule, which only covers information in electronic form. But when someone requests information from a computer, through either a voice or telephone keypad command, and that request is returned as a fax, the communication is covered under the security rule. This isn't because "faxbacks," as they are known, have computers in them but because they are used as an input and output device for computers.

According to the government, "employment of telephone voice response and/or faxback systems will generally require security protection by only one of the parties involved, but not the other." The party that must protect the information is the one responding to the request, since the information she is returning is "already in electronic form and stored in a computer."

Margaret M. Davino (mdavino@kbrny.com
) is a healthcare attorney with Kaufman Borgeest & Ryan, in New York City.

This department answers common HIPAA-related questions. It isn$apos;t intended to provide specific legal advice. Please submit questions via e-mail to mehipaa@advanstar.com, or by regular mail to Medical Economics, 5 Paragon Drive, Montvale, NJ 07645, ATTN: HIPAA CONSULT. If we select your query, we'll address it in an upcoming issue. Your name will not be used.